Can you run Terminal Services and a domain controller?

Posted on 2009-02-10
Last Modified: 2013-11-21
Can you run a server as a domain controller and a terminal server at the same time? If so, is there anything specific I have to do? I tried to set up a terminal server with Active Directory; it told me it needed a domain controller, which meant I had to install the DC software along with DNS. When I went to log in as administrator, it let me. But when I went to log in as a user, it wouldn't let me. I did put the user in the Remote Desktop Users group.
Question by:SBryden
    Expert Comment

    Yes, because there are special settings in the user profile settings in AD that need to be put in, such as the path for the terminal server session, etc. Look at this link for reference:
    I hope this helps.
    Accepted Solution

    Note that it is NOT recommended to run terminal services on a DC, for security reasons: the ability to log on locally allows for more exploits than just network access, and a terminal server is basically only a workstation that needs to have user applications installed. These applications can weaken the security of the machine as well, and they can make it more unstable. It's better to invest in a dedicated terminal server (which might actually save money; what does it cost if your DC/TS dies because of an end-user application going crazy, and you have to restore it while nobody can log on and work?).
    That said:
    Create a new domain local security group "D-RemoteDesktopDC" or whatever.
    Open the Terminal Services Configuration MMC from the Administrative Tools start menu; open the properties of the Rdp-tcp protocol under "Connections", go to the Security tab.
    Add the group you just created, and give it "User Access" and "Guest Access".
    From the Administrative Tools start menu start the Security Policy for Domain Controllers.
    Go to Windows Settings > Security Settings > Local Policies > User Rights Assignments; open the "Log on locally" right, add the group from above here as well.
    Now you can add a global group with your remote desktop users to the domain local group, and they'll be able to log on through RDP.
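An added audit script (not part of the thread, and not the expert's own) that reads back the two settings the accepted solution changes, so you can see who has been granted RDP access and local logon on the DC. It assumes it runs elevated on the domain controller, that the connection is still named RDP-Tcp, and that the `Win32_TSAccount` WMI class is present (Server 2003/2008); the "default" SID list is the set of groups that normally hold "Allow log on locally" in the Default Domain Controllers Policy.

```powershell
# Added audit example, not from the original thread. Run elevated on the DC.

# Part 1: principals granted access on the RDP-Tcp connection
# (what the Security tab in Terminal Services Configuration shows).
$rdp = Get-WmiObject -Namespace 'root\cimv2\terminalservices' -Class Win32_TSAccount |
       Where-Object { $_.TerminalName -eq 'RDP-Tcp' }
"RDP-Tcp connection permissions:"
$rdp | ForEach-Object {
    # PermissionsAllowed is the WINSTATION_* bitmask documented for the class; shown raw here
    "  {0}  (allowed mask 0x{1:X})" -f $_.AccountName, $_.PermissionsAllowed
}

# Part 2: who effectively holds 'Allow log on locally' (SeInteractiveLogonRight).
# secedit exports the effective local security database, so after a policy
# refresh it reflects what the Domain Controllers policy applied.
$cfg = Join-Path $env:TEMP 'userrights-audit.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }
Remove-Item $cfg -Force

# Well-known SIDs that hold this right on a DC by default (assumption: unmodified
# Default Domain Controllers Policy): Administrators, Account/Server/Print/Backup
# Operators, and ENTERPRISE DOMAIN CONTROLLERS.
$defaults = @('S-1-5-32-544','S-1-5-32-548','S-1-5-32-549',
              'S-1-5-32-550','S-1-5-32-551','S-1-5-9')

"Allow log on locally:"
if ($line) {
    $entries = ($line -split '=', 2)[1].Trim() -split ','
    foreach ($e in $entries) {
        $sid = $e.Trim().TrimStart('*')      # secedit writes SIDs as *S-1-5-...
        try {
            $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                        Translate([System.Security.Principal.NTAccount]).Value
        } catch { $name = $sid }              # already a name, or unresolvable SID
        $flag = if ($defaults -contains $sid) { '' } else { '  <-- beyond the DC defaults, review' }
        "  $name$flag"
    }
}
```

Any flagged entry is a group that can log on interactively to the DC; if it is the "D-RemoteDesktopDC" style group from the steps above, review its membership the same way you would review Administrators.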

    Author Comment

    Thank you very much for this answer.  I have told my boss of this information.
